Thursday, 5 March 2015

Understanding sudo, su and /etc/sudoers file

Understanding the "/etc/sudoers" file is very important for any system administrator; it can come in handy at any time.

Here, I will explain various tips and tricks for the "sudoers" file.

First, we need to understand the difference between sudo and su.

su :
The su command switches to the superuser (root) account. When we execute it with no additional options, we have to enter the root account's password. We can also use it to switch to any other user account: if we execute "su manoj", we will be prompted for manoj's password and the shell will switch to manoj's account.

sudo :
sudo runs a single command with root privileges. When we execute a sudo command, the system prompts us for the current user account's password before running the command as root. We may run further privileged commands through sudo within a five-minute period without being re-prompted for a password. All commands run through sudo are logged to /var/log/messages and /var/log/auth.log.
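To show what those log records look like and how to read them, here is an added example in Python (not code from the original post). It parses sudo's syslog records from constructed sample lines, counts accepted and rejected invocations per user, and flags an accepted invocation of su or a shell run as root, the case TIP 1 below warns about, because after that sudo logs nothing further. The field layout (TTY= ; PWD= ; USER= ; COMMAND=) is sudo's standard one; the host name, users and commands in the sample are made up.

```python
"""Parse sudo's syslog records (the lines sudo writes to auth.log / messages).

Added example, not from the original post. The log lines are constructed,
but the field layout is sudo's standard one:
  <user> : [<reason> ;] TTY=<tty> ; PWD=<dir> ; USER=<runas> ; COMMAND=<cmd>
A <reason> is present only on rejected attempts ("command not allowed",
"3 incorrect password attempts", ...).
"""
import re

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : (?:(?P<reason>.+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<command>.+)$"
)

# Programs that hand the caller an interactive root shell; once inside one,
# sudo no longer sees (or logs) the individual commands.
SHELLS = {"su", "sh", "bash", "dash", "zsh", "ksh"}

# Constructed sample log lines (host, users and commands are made up).
SAMPLE_LINES = [
    "Mar  5 10:15:01 web01 sudo:    user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/usr/bin/apt-get update",
    "Mar  5 10:16:12 web01 sudo:    user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/bin/su -",
    "Mar  5 10:20:44 web01 sudo:    user2 : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/user2 ; USER=root ; COMMAND=/bin/bash",
    "Mar  5 10:21:03 web01 sudo: pam_unix(sudo:session): session opened for user root by user1(uid=0)",
    "Mar  5 10:22:30 web01 sudo:    user3 : command not allowed ; TTY=pts/2 ; PWD=/home/user3 ; USER=root ; COMMAND=/sbin/reboot",
]


def parse_sudo_line(line):
    """Return a dict of fields for a sudo command record, or None for other lines."""
    m = SUDO_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["accepted"] = rec["reason"] is None
    return rec


def summarize(lines):
    """Count accepted/rejected invocations per user and list root shells.

    Returns (counts, root_shells): counts maps user -> {"accepted": n,
    "rejected": n}; root_shells lists (user, command) pairs for accepted
    invocations whose program is su or a shell, run as root.
    """
    counts = {}
    root_shells = []
    for line in lines:
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        per_user = counts.setdefault(rec["user"], {"accepted": 0, "rejected": 0})
        per_user["accepted" if rec["accepted"] else "rejected"] += 1
        program = rec["command"].split()[0].rsplit("/", 1)[-1]
        if rec["accepted"] and rec["runas"] == "root" and program in SHELLS:
            root_shells.append((rec["user"], rec["command"]))
    return counts, root_shells


if __name__ == "__main__":
    counts, root_shells = summarize(SAMPLE_LINES)
    for user, c in sorted(counts.items()):
        print(f"{user}: {c['accepted']} accepted, {c['rejected']} rejected")
    for user, command in root_shells:
        print(f"root shell via sudo: {user} ran {command!r}")
```

The pam_unix session line is deliberately included in the sample: it is also written under the sudo tag but carries no command record, so the parser skips it rather than mis-reading it.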

Which users may use sudo, and what they may run, is controlled by the "/etc/sudoers" file.

We should always edit the file using "visudo". Never use vi or vim directly, because the syntax of the "sudoers" file is very important: visudo checks the syntax before saving, while a plain editor does not. If you mess the file up, you will have to boot into rescue mode to correct it.

So be careful, and use visudo.

TIP 1: All Access to Specific Users

You can grant users "user1" and "user2" full access to all privileged commands with this sudoers entry:

user1, user2  ALL=(ALL) ALL

In the above example:

user1, user2 : the users allowed to use sudo (a comma-separated user list)
ALL : allow sudo access from any host (any machine this file is installed on)
(ALL) : allow the command to be run as any user, not only root
ALL : allow all commands to be executed

This is not a good way, because it allows user1 and user2 to run su (or any shell) through sudo and so obtain a permanent root shell, bypassing sudo's per-command logging.

TIP 2: Access To Specific Users To Specific Files

This entry allows user1 and all the members of the group "class" to run all the program files in the /sbin and /usr/sbin directories, plus the privilege of running the command /usr/slash/ (in sudoers, a path ending in a slash denotes a directory and matches every program inside it, so the slash after /usr/sbin matters):

user1, %class ALL= /sbin/, /usr/sbin/, /usr/slash/

TIP 3: Access Without Needing Passwords

This example allows all users in the group "class" to execute any command in the /sbin directory without entering a password:

%class ALL= NOPASSWD: /sbin/

TIP 4: Adding users to the wheel group

When a server had to be maintained at a higher level than day-to-day administration, root rights were often required. The 'wheel' group was used to create a pool of user accounts that were allowed to get that level of access to the server. If you weren't in the 'wheel' group, you were denied access to root.

Edit the configuration file (/etc/sudoers) with visudo and change these lines:

# Uncomment to allow people in group wheel to run all commands

# %wheel ALL=(ALL) ALL

To this (as recommended):

# Uncomment to allow people in group wheel to run all commands
%wheel ALL=(ALL) ALL

This will allow anyone in the wheel group to execute commands using sudo (rather than having to add each person one by one).

Now, finally, use the following command to add a user (e.g. user1) to the wheel group:
# usermod -aG wheel user1
(-a appends wheel to the user's existing supplementary groups; "usermod -G wheel user1" without -a would replace all of them with wheel.)

TIP 5: Never ask for a password

We can configure sudo so that a user is never asked for a password, whatever command they run.

This can be done by adding an entry as below:
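The entry itself is not shown on the original page. The Python block below is an added example (not the post's own code): it assumes the user name user1 and the entry form "user1 ALL=(ALL) NOPASSWD: ALL" for this tip, places it beside the entries from TIPs 1 to 4 and a narrower alternative (a constructed "deploy" user limited to one command), and then parses each line into its user, host, runas, tag and command parts, as broken down under TIP 1, flagging the broad grants. It handles only the plain specification form used throughout this post; aliases, Defaults lines and per-command tags are skipped.

```python
"""Parse the simple user-specification lines of /etc/sudoers and flag broad grants.

Added example, not the post's own code. It understands only the plain form
used throughout the post,
    User_List Host_List = (Runas_List) [Tag:] Cmnd_List
and skips comments, Defaults lines and alias definitions. Per-command tags,
line continuations and aliases are deliberately not handled.
"""
import re
from dataclasses import dataclass

TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}

SPEC_RE = re.compile(r"^(?P<users>[^=]+?)\s+(?P<hosts>[^=\s]+)\s*=\s*(?P<rest>.+)$")
RUNAS_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<rest>.*)$")
TAG_RE = re.compile(r"^(?P<tag>[A-Z_]+)\s*:\s*(?P<rest>.*)$")


@dataclass
class Spec:
    users: list      # user names and %group names
    hosts: list
    runas: list      # empty means sudo's default target, root
    tags: set
    commands: list   # "ALL", a program path (with optional args) or a directory ending in "/"


def split_list(text):
    return [item.strip() for item in text.split(",") if item.strip()]


def parse_line(line):
    """Parse one user specification; return a Spec, or None for lines that are skipped."""
    line = line.split("#", 1)[0].strip()          # drop comments and #include lines
    if not line or line.startswith(("Defaults", "User_Alias", "Host_Alias",
                                    "Cmnd_Alias", "Runas_Alias")):
        return None
    m = SPEC_RE.match(line)
    if m is None:
        return None
    rest = m.group("rest").strip()
    runas = []
    rm = RUNAS_RE.match(rest)
    if rm:
        # (user) or (user:group); both halves go into one list for simplicity
        runas = split_list(rm.group("runas").replace(":", ","))
        rest = rm.group("rest").strip()
    tags = set()
    while (tm := TAG_RE.match(rest)) and tm.group("tag") in TAGS:
        tags.add(tm.group("tag"))
        rest = tm.group("rest").strip()
    return Spec(split_list(m.group("users")), split_list(m.group("hosts")),
                runas, tags, split_list(rest))


def assess(spec):
    """Return human-readable findings for grants that deserve a second look."""
    findings = []
    full = "ALL" in spec.commands
    if full:
        findings.append("every command allowed, including su and shells, which "
                        "sidestep sudo's per-command logging")
    if "NOPASSWD" in spec.tags:
        findings.append("no password required for " +
                        ("every command" if full else ", ".join(spec.commands)))
    for cmd in spec.commands:
        if cmd.endswith("/"):
            findings.append(f"directory grant {cmd}: every program in it, "
                            "including ones added later")
    if "ALL" in spec.runas:
        findings.append("may run as any user, not only root")
    return findings


def audit(text):
    """Map each sudoers line that produced findings to its list of findings."""
    report = {}
    for raw in text.splitlines():
        spec = parse_line(raw)
        if spec is not None and (findings := assess(spec)):
            report[raw.strip()] = findings
    return report


# Constructed sample: the post's tips 1-4, a tip-5 style entry (user name
# assumed), and a narrower alternative for comparison.
SAMPLE = """\
# tip 1
user1, user2  ALL=(ALL) ALL
# tip 2 (trailing slash = directory)
user1, %class ALL= /sbin/, /usr/sbin/, /usr/slash/
# tip 3
%class ALL= NOPASSWD: /sbin/
# tip 4
%wheel ALL=(ALL) ALL
# tip 5: never ask this user for a password, for any command
user1 ALL=(ALL) NOPASSWD: ALL
# narrower alternative: one command, as root, no password
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
"""

if __name__ == "__main__":
    for line, findings in audit(SAMPLE).items():
        print(line)
        for f in findings:
            print("   -", f)
```

Run on the sample, the TIP 5 entry collects three findings (all commands, no password, any runas user) while the "deploy" line collects only the NOPASSWD one, which is the trade-off to weigh before adding such an entry: the narrower the command list, the less a password-less grant exposes.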

Kool :)
